kd> lm a nt
start    end        module name
81000000 81751000   nt         (private pdb symbols)  C:\symbols\pcread\wrkx86.pdb
kd> dt nt!_IMAGE_DOS_HEADER -y e_l* 81000000
   +0x018 e_lfarlc : 0x40
   +0x03c e_lfanew : 600
kd> dt nt!_IMAGE_NT_HEADERS 81000000+600
   +0x000 Signature      : 0x1268
   +0x004 FileHeader     : _IMAGE_FILE_HEADER
   +0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
kd> dt nt!_IMAGE_OPTIONAL_HEADER -y add* 81000000+600+18
   +0x010 AddressOfEntryPoint : 0x34c4
kd> ln 0x34c4+81000000
(810034c0)   nt!_real+0x4   |  (810034c8)   nt!`string'

Here it resolves to nt!_real+0x4. Why isn't it nt!KiSystemStartup???
If I use !dh instead, it shows the following:
kd> !dh 81000000 -f

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
      16 number of sections
49F0278C time date stamp Thu Apr 23 16:32:12 2009
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     10E characteristics
            Executable
            Line numbers stripped
            Symbols stripped
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    7.10 linker version
  1DA200 size of code
  56C200 size of initialized data
       0 size of uninitialized data
  6FB6AC address of entry point

kd> ln 6FB6AC+81000000
C:\WRK-v1.2\base\ntos\ke\i386\newsysbg.asm(174)
(816fb6ac)   nt!KiSystemStartup   |  (816fb9b6)   nt!$$$00003
Exact matches:
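The post's own output already contains the explanation: dt prints e_lfanew (a LONG) in decimal, so 600 means 0n600 = 0x258, but kd's default radix is 16, so 81000000+600 is evaluated as 0x81000600. That is why the "Signature" read there is 0x1268 instead of 0x4550 ("PE\0\0"), and why everything derived from it (the 0x34c4 "entry point" that lands in nt!_real) is garbage; !dh walks e_lfanew correctly and gets 0x6FB6AC, which is KiSystemStartup. The following is an added example, not code from the post or from the WRK: a small PE32 header walker that does what the manual dt walk did but checks the signature first, run over a constructed image that carries the post's header values at their real offsets and the stray bytes the misplaced read hit at +0x600. The struct layouts are copied field-for-field from winnt.h so it builds without windows.h; a little-endian host is assumed, and the sample buffer is constructed, not a dump of wrkx86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Minimal PE32 header layouts, field-for-field as in winnt.h, defined here so
 * the example builds without windows.h (little-endian host assumed, as on x86). */
#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ"     */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10B

typedef struct {
    uint16_t e_magic;
    uint8_t  e_unused[0x3c - 2];
    int32_t  e_lfanew;             /* LONG: dt prints it in decimal, kd parses input as hex */
} image_dos_header_t;              /* sizeof == 0x40 */

typedef struct {
    uint16_t Machine;
    uint16_t NumberOfSections;
    uint32_t TimeDateStamp;
    uint32_t PointerToSymbolTable;
    uint32_t NumberOfSymbols;
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} image_file_header_t;             /* sizeof == 0x14 */

typedef struct {
    uint16_t Magic;
    uint8_t  MajorLinkerVersion;
    uint8_t  MinorLinkerVersion;
    uint32_t SizeOfCode;
    uint32_t SizeOfInitializedData;
    uint32_t SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint;  /* +0x10 inside the optional header, as dt showed */
    uint32_t BaseOfCode;
    uint32_t BaseOfData;
    uint32_t ImageBase;
} image_optional_header32_t;       /* leading fields only; the rest is not needed here */

/* Locate IMAGE_NT_HEADERS through e_lfanew. Returns the offset, or -1 if the
 * DOS header is missing or e_lfanew points outside the image. */
static long pe_nt_headers_offset(const uint8_t *image, size_t size)
{
    image_dos_header_t dos;
    if (size < sizeof dos) return -1;
    memcpy(&dos, image, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return -1;
    if (dos.e_lfanew < 0 || (size_t)dos.e_lfanew + 4 + sizeof(image_file_header_t)
                            + sizeof(image_optional_header32_t) > size) return -1;
    return dos.e_lfanew;
}

/* Read AddressOfEntryPoint from the NT headers at nt_off. Returns 0 unless the
 * "PE\0\0" signature and the PE32 magic both check out: the check that would
 * have flagged Signature == 0x1268 in the debugger session. */
static uint32_t pe_entry_rva_at(const uint8_t *image, size_t size, size_t nt_off)
{
    uint32_t sig;
    image_file_header_t fh;
    image_optional_header32_t oh;
    if (nt_off + 4 + sizeof fh + sizeof oh > size) return 0;
    memcpy(&sig, image + nt_off, 4);
    if (sig != IMAGE_NT_SIGNATURE) return 0;
    memcpy(&fh, image + nt_off + 4, sizeof fh);
    memcpy(&oh, image + nt_off + 4 + sizeof fh, sizeof oh);
    if (oh.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return 0;
    return oh.AddressOfEntryPoint;
}

static uint32_t pe_entry_rva(const uint8_t *image, size_t size)
{
    long off = pe_nt_headers_offset(image, size);
    return off < 0 ? 0 : pe_entry_rva_at(image, size, (size_t)off);
}

/* Constructed sample image (not a real dump): the header values from the post
 * at their true offsets, plus the bytes the misplaced read at +0x600 saw. */
#define SAMPLE_SIZE 0x800
static uint8_t g_sample[SAMPLE_SIZE];
static void put32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static void put16(uint8_t *p, size_t off, uint16_t v) { memcpy(p + off, &v, 2); }

static const uint8_t *sample_image(void)
{
    memset(g_sample, 0, SAMPLE_SIZE);
    put16(g_sample, 0x00,  IMAGE_DOS_SIGNATURE);
    put32(g_sample, 0x3c,  600);                /* decimal 600 == 0x258 */
    put32(g_sample, 0x258, IMAGE_NT_SIGNATURE);
    put16(g_sample, 0x25c, 0x14C);              /* Machine: i386 */
    put16(g_sample, 0x25e, 16);                 /* NumberOfSections */
    put32(g_sample, 0x260, 0x49F0278C);         /* TimeDateStamp */
    put16(g_sample, 0x26c, 0xE0);               /* SizeOfOptionalHeader */
    put16(g_sample, 0x26e, 0x10E);              /* Characteristics */
    put16(g_sample, 0x270, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    put32(g_sample, 0x280, 0x6FB6AC);           /* AddressOfEntryPoint */
    put32(g_sample, 0x600, 0x1268);             /* what "Signature" read at +0x600 */
    put32(g_sample, 0x628, 0x34c4);             /* what "AddressOfEntryPoint" read at +0x600+0x18+0x10 */
    return g_sample;
}

int main(void)
{
    const uint8_t *img = sample_image();
    long off = pe_nt_headers_offset(img, SAMPLE_SIZE);
    printf("e_lfanew = 0n%ld = 0x%lx\n", off, off);
    printf("entry RVA via 0n600: 0x%x\n", pe_entry_rva_at(img, SAMPLE_SIZE, 600));
    printf("entry RVA via 0x600: 0x%x (0 = no PE signature there)\n",
           pe_entry_rva_at(img, SAMPLE_SIZE, 0x600));
    return 0;
}
```

In the debugger the equivalent fix is to write the decimal value explicitly, `dt nt!_IMAGE_NT_HEADERS 81000000+0n600`, or to feed dt the field directly with `dt nt!_IMAGE_NT_HEADERS 81000000+@@(((nt!_IMAGE_DOS_HEADER*)0x81000000)->e_lfanew)`; either way, a Signature that does not read 0x4550 means the pointer is wrong and nothing below it can be trusted.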